Tuesday, August 18, 2015

Crypto Where?

   It's that scary moment...  You're getting some work done on your computer when you see a dreaded pop-up message:

   CryptoLocker, CryptoWall and other crypto-/ransom-ware have been in the news again (or still?).  This kind of malware attack was first identified in 2013.  Rather than trying to steal information, the malware encrypts your files, and you don't have the key to decrypt them.  The attacker then offers, through a pop-up message, to "sell" you the "service" of unlocking your files.  To make things worse, the attacker threatens to delete the keys after a set amount of time, typically 72 hours, which could prevent you from ever recovering the files.

   These ransom-ware viruses usually arrive on your computer as an email attachment.  The attachment can be an Office file, PDF, zip file or other file type.  The malware can also come from an infected web link.

   When your computer is infected, the virus operates quietly in the background, encrypting files.  You usually won't know there's a problem until the files are encrypted, and then you're in trouble.

   So if you are infected and encrypted... then what?  Well, there's bad news, good news, more bad news and some more potentially good news!

   The bad news is that many variants of this malware use strong encryption.  That means that without the encryption keys it is not feasible to decrypt your files.  After all, isn't that the point of encryption: to make it difficult or impossible for an "outsider" to read your files?  Unfortunately, in this case you are the "outsider".  Many individuals and organizations have paid the ransom to get the keys to decrypt their data.  This may be your only option.  However, remember that you are dealing with criminals, so there are no guaranteed results even if you do pay.

   The good news is that there has been a great deal of analysis done on this kind of malware.  There are free and inexpensive resources you can use to recover your files if you get hit.  For one thing, if you act quickly, your backups may not have been infected (you do back up your data, right???).  In this case, you may be able to remove the virus and restore your files from backup.  But even if that's not possible, there are methods you can use for some of these malware variants:

   CryptoLocker
   CryptoWall (old and new)
   CoinVault
   FBI Ukash MonkeyPak
   RansomLock
   other law enforcement themed ransomware

   The additional bad news is that none of the methods listed above (including paying the ransom) is simple or guaranteed to work.  The best defense here is prevention... either preventing the malware from getting in in the first place (that means practicing good online and email hygiene), or "after the fact" prevention by acting as quickly as possible once you realize you are infected.
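   The post notes that the malware encrypts files quietly in the background and that the only "after the fact" defense is acting as quickly as possible.  One practical way to notice it early is to watch for files that suddenly look encrypted (encrypted data has near-maximal byte entropy, unlike documents or text) and to plant a "canary" file whose contents should never change.  The script below is an added example written for this post, not code from the original article or from any of the tools it mentions; the file names, the 7.5-bit entropy threshold and the sample files it creates in a temporary directory are all constructed for the demonstration.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Compressed and media formats are high-entropy by design, so skip them to
# avoid false alarms (list is an assumption; extend it for your environment).
SKIP_SUFFIXES = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png", ".mp3", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant data, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, threshold: float = 7.5, sample_size: int = 65536) -> bool:
    """True when the first sample_size bytes have entropy at or above threshold.
    Very small files are ignored because the estimate is unreliable for them."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    return len(sample) >= 256 and shannon_entropy(sample) >= threshold


def plant_canary(directory: Path, name: str = "_canary_do_not_touch.txt") -> tuple[Path, str]:
    """Write a known file and return its path plus the SHA-256 of its contents."""
    content = b"Canary file. Nothing should ever modify this file.\n" * 8
    path = directory / name
    path.write_bytes(content)
    return path, hashlib.sha256(content).hexdigest()


def check_canary(path: Path, expected_sha256: str) -> bool:
    """False if the canary was changed, deleted or renamed: a sign of trouble."""
    try:
        return hashlib.sha256(path.read_bytes()).hexdigest() == expected_sha256
    except FileNotFoundError:
        return False


def scan_directory(directory: Path) -> list[Path]:
    """Return every regular file that looks encrypted and is not a skipped format."""
    return [
        p for p in Path(directory).rglob("*")
        if p.is_file() and p.suffix.lower() not in SKIP_SUFFIXES and looks_encrypted(p)
    ]


def high_entropy_bytes(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (hash output in counter mode)."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]


def demo() -> dict:
    """Build a constructed sample directory and run both checks over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Ordinary document: low entropy, must not be flagged.
        (root / "notes.txt").write_bytes(b"Meeting notes: backups run nightly at 02:00.\n" * 20)
        # Constructed stand-in for a document the malware has already encrypted.
        (root / "report.docx.encrypted").write_bytes(high_entropy_bytes(4096))
        canary, digest = plant_canary(root)
        ok_before = check_canary(canary, digest)
        # Simulate the malware overwriting the canary with ciphertext.
        canary.write_bytes(high_entropy_bytes(4096))
        ok_after = check_canary(canary, digest)
        flagged = sorted(p.name for p in scan_directory(root))
    return {"canary_ok_before": ok_before, "canary_ok_after": ok_after, "flagged": flagged}


if __name__ == "__main__":
    print(demo())
```

   In practice you would run the canary check on a schedule (every few minutes) against several canaries spread through your documents folders and network shares, and treat a failed check or a sudden jump in the number of flagged files as the signal to disconnect the machine and start restoring from backup.  The entropy test on its own is a heuristic: archives and encrypted containers are legitimately high-entropy, which is why the skip list exists.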

   The last bit of potentially good news is that there are additional preventative steps you can take.  These include: backing up your files; using anti-virus/anti-malware software; practicing good online hygiene with email, surfing and links; and watching out for phishing.  I've spoken about these and provided tips here, here and here.  At the office, be sure you are following policy: don't install unauthorized software, connect to the company network regularly to get updates, report any problems or strange computer activity as soon as possible, and keep laptops and mobile devices close and under your control.

   See these PC World articles or this Microsoft article for more info.
